Palo Alto PAN-OS Single Sign-On (SSO) Integration Guide

This guide provides instructions for integrating Genian NAC with Palo Alto PAN-OS for Single Sign-On (SSO).

Overview

This document describes installation and configuration steps to integrate Genian NAC (Network Access Control system) with Palo Alto PAN-OS (Next Generation Firewall).

By sharing user authentication information between both products, users authenticated by Genian NAC can access internal systems without additional authentication on PAN-OS. PAN-OS uses the user-node mapping from Genian NAC to apply user-based access control policies.

Purpose of Integration

The integration of Genian NAC and PAN-OS provides the following benefits:

Single Sign-On (SSO)

  • Genian NAC enforces login for users connecting to the network; PAN-OS then applies user-based policies to those users without requiring them to authenticate again.

User-Based Policy and Information Consistency

  • Using Genian NAC's accurate user information resolves discrepancies due to new hires, department changes, or work location changes.

Authentication and Access Control Process

  1. User authenticates on Genian NAC
  2. Genian NAC sends authentication information (IP, User-ID) to PAN-OS (XML API or Syslog)
  3. PAN-OS binds IP with user info
  4. PAN-OS tags IP with user info
  5. PAN-OS enforces user-based policies

Pre-requisites

Network Pre-requisites

  • Verify connectivity between Genian NAC Policy Center and Palo Alto PAN-OS.
  • This guide covers both the XML API (HTTP, HTTPS) and Syslog methods. The ports used by each are:

Integration Method   Recommended (High Security)   Easy Setup (High Connectivity)
------------------   ---------------------------   ------------------------------
XML API              HTTPS (8443)                  HTTP (80)
Syslog               TLS (6514)                    UDP (514)

Genian NAC port info is available at System > Service Management > Access Port in the UI.

Integration using XML API

PAN-OS Configuration for XML API Integration

This section describes configuration steps specific to integrating Palo Alto PAN-OS with Genian NAC.

Step 1: Create an Admin Role to Handle User Authentication Information

Navigate to Device > Admin Roles and click Add to open the Admin Role Profile window.

Enter the following values in the Admin Role Profile window:

Setting Item   Value                       Note
------------   -----                       ----
Name           Genian_NAC_SSO              Name for the Admin Role
Description    Purpose of the Admin Role   Optional
XML API tab    Enable all items            Report, Log, Configuration, Operational Requests, Commit, User-ID Agent, Export, Import (Report, Export and Import may be left disabled if not required)

Step 2: Create an Administrator account to process user credentials

Navigate to Device > Administrator and click Add to open the Administrator window.

Enter the following values in the Administrator window:

Setting                 Value            Note
-------                 -----            ----
Name                    Genian_NAC       Account name
Authentication Profile  None             Leave unset
Client Cert Auth (Web)  Disabled         Not used unless the API key is issued via certificate
Public Key Auth (SSH)   Disabled         Leave unset
Admin Type              Role Based       Inherits the role created in Step 1
Profile                 Genian_NAC_SSO   Same name as the Admin Role
Password Profile        None             Leave unset

Step 3: Generate API Key to Send User Authentication Information

Use a web browser to access:

https://<PAN-OS IP>/api/?type=keygen&user=<username>&password=<password>

You will receive the following result:

<response status='success'>
  <result>
    <key>LUFRPT1KbW80SU1hRXJuNk5XNHBudUhCNGMydE0rSUk9RFIzdEJ5RGcwWkRCVlhYMXl0Q1FPdz09</key>
  </result>
</response>

Use this generated API key when configuring Genian NAC to send authentication data to PAN-OS. Treat the key as a credential: it carries every XML API permission granted to the Genian_NAC_SSO role.

Step 4: Configure PAN-OS to Accept Authentication Info from Genian NAC

Navigate to Network > Zone, enable User Identification on the zone, and click OK. (User-based policy is applied only to traffic from zones with User Identification enabled.)

Genian NAC Configuration for XML API Integration

Genian NAC sends authentication logs to PAN-OS using XML API (webhook).

Step 1: Create Log Filter for Authentication Logs

Navigate to Audit > Log Search

Because only user-authentication events should be sent to PAN-OS, set the log search conditions as follows:

Setting Item   Value               Note
------------   -----               ----
Log ID         Authentication      Select from the dropdown
Description    User authenticated  Keyword for authentication logs

Confirm logs exist, then save the filter.

Step 2: Configure Event Trigger to Send Log to PAN-OS

After saving the filter, configure the following:

Setting Item   Value                                                        Note
------------   -----                                                        ----
Name           Send User Login Info                                         Filter name
Description    Send user login logs to PAN-OS
Webhook        Enabled                                                      Calls the XML API on login
Tag            Assign: Target=User, Destination=Node, Tag=AuthenticatedUser

Webhook Settings:

Setting Item   Value                                                            Note
------------   -----                                                            ----
Method         POST
URL            https://<PAN-OS-IP>/api/?type=user-id&action=set&key=<API-Key>  <PAN-OS-IP> is the firewall address; <API-Key> is the key from Step 3
CHARSET        UTF-8
POST Data      See the POST data example below
Data Type      multipart/form-data
API-Key        Use the API key from Step 3

POST Data Example:

<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <login>
      <entry name="{ID}" ip="{_IP}" timeout="20" />
    </login>
  </payload>
</uid-message>
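The following is an added Python example (not Genian NAC's or Palo Alto's code) that builds the same uid-message shown above with an XML library, so that user names containing characters such as & or < are escaped instead of being pasted raw into the template, and that parses the keygen response from Step 3. The sample key and user values in it are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET


def build_uid_message(logins, timeout=20):
    """Build the <uid-message> login update for a list of (user, ip) pairs.

    Using an XML library instead of substituting {ID} and {_IP} into a text
    template guarantees that user names containing &, < or " are escaped and
    that every address is a syntactically valid IP before it is sent.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in logins:
        if not user or not user.strip():
            raise ValueError("empty user name")
        ipaddress.ip_address(ip)  # ValueError if not a valid IPv4/IPv6 address
        ET.SubElement(login, "entry", {"name": user, "ip": ip, "timeout": str(timeout)})
    return ET.tostring(root, encoding="unicode")


def parse_api_response(xml_text):
    """Return (status, payload) from a PAN-OS XML API response.

    A successful keygen call returns the key under <result><key>; error
    responses carry status="error" and explain the failure in a <msg> element.
    """
    root = ET.fromstring(xml_text)
    status = root.get("status", "")
    if status == "success":
        key = root.findtext("./result/key")
        return status, (key.strip() if key else None)
    msg = root.findtext(".//msg")
    return status, (msg or "".join(root.itertext())).strip()


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment
    print(build_uid_message([("genian", "172.29.101.1")]))
    print(parse_api_response("<response status='success'><result>"
                             "<key>SAMPLE-KEY</key></result></response>"))
```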

Syslog Integration

PAN-OS Configuration for Syslog

This document covers only the PAN-OS settings that are needed for integration with Genian NAC.

Step 1: Configure Syslog Parser

  1. Navigate to Device > User Identification > User Mapping
  2. Click Edit in the User-ID Agent Setup tab
  3. Click Add to create a new Syslog Parse Profile with the following values:

Setting Item          Value             Note
------------          -----             ----
Syslog Parse Profile  Genian_NAC        Profile name
Description                             Optional
Type                  Field Identifier  Syslog parsing type
Event String          USERAUTH          Unique identifier sent by Genian NAC
Username Prefix       ID=               Text preceding the user ID
Username Delimiter    ,                 Text terminating the user ID
Address Prefix        IP=               Text preceding the IP address
Address Delimiter     ,                 Text terminating the IP address

Step 2: Configure Syslog Sender

Navigate to Device > User Identification > User Mapping, then click Add in the Server Monitoring section and enter the following in the User Identification Monitored Server window:

Setting Item     Value            Note
------------     -----            ----
Name             Genian_NAC       Name
Description                       Optional
Enabled          Enabled          Enable the profile
Type             Syslog Sender
Network Address  <Genian NAC IP>  NAC Policy Server IP
Connection Type  UDP              Choose between SSL and UDP (SSL is the recommended high-security option)
Filter           Genian_NAC       Select the Syslog Parse Profile created in Step 1

Step 3: Enable Syslog Listener

Go to Network > Network Profiles > Interface Mgmt > Add:

  1. Network Profile: Allow Genian NAC
  2. Select User-ID SYSLOG Listener-SSL or User-ID SYSLOG Listener-UDP, matching the connection type chosen in Step 2
  3. (Recommended) Under Permitted IP Addresses, add only the Genian NAC Policy Server address so that the listener accepts syslog from Genian NAC alone

After completing the settings and clicking OK, the new profile appears in the Interface Mgmt profile list.

Step 4: Allow Interface Access for Genian NAC

Navigate to Network > Interfaces, and in Advanced > Interface Mgmt Profile, select Allow Genian NAC.

Then click Commit to apply settings.

Genian NAC Configuration for Syslog

This section describes how to configure Genian NAC to send the logs generated when a user authenticates to PAN-OS as Syslog messages.

Step 1: Create Authentication Log Filter

Go to Audit > Log Search:

Because only user-authentication events should be sent to PAN-OS, set the log search conditions as follows:

Setting Item   Value               Note
------------   -----               ----
Log ID         Authentication      Select from the dropdown
Description    User authenticated  Keyword filter

Run the search with these conditions, confirm that user authentication logs appear, and then save the filter.

Step 2: Configure Syslog Transmission

After saving, configure the following:

Setting Item   Value                                                        Note
------------   -----                                                        ----
Name           Send User Login Info                                         Filter name
Description    Send logs to PAN-OS
SYSLOG Send    Enabled                                                      Sends a Syslog message on login
Tag            Assign: Target=User, Destination=Node, Tag=AuthenticatedUser

Syslog Settings:

Setting Item    Value                        Note
------------    -----                        ----
Server Address  PAN-OS IP
Method          UDP                          Choose UDP or TLS
Port            514                          UDP (514), TLS (6514)
Format          Default                      Choose Default or CEF
Syslog Message  USERAUTH, ID={ID}, IP={_IP}  Matches the Event String, prefixes and delimiters of the PAN-OS parse profile
CHARSET         UTF-8                        Generally UTF-8
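To show how the Syslog Message above and the Field Identifier parse profile configured on PAN-OS (Step 1 of the PAN-OS Syslog configuration) fit together, here is an added Python model of the extraction, written for this guide rather than taken from PAN-OS or Genian NAC. It applies the profile's event string, prefixes and delimiters to constructed sample lines and drops lines that cannot produce a valid mapping; the handling of a missing delimiter is an assumption, not documented behaviour.

```python
import ipaddress

# Values of the Syslog Parse Profile (Field Identifier) configured on PAN-OS
GENIAN_NAC_PROFILE = {
    "event_string": "USERAUTH",
    "username_prefix": "ID=",
    "username_delimiter": ",",
    "address_prefix": "IP=",
    "address_delimiter": ",",
}

def _field(message, prefix, delimiter):
    """Text between the first occurrence of prefix and the next delimiter.
    Assumption (not stated on the page): with no delimiter, the field runs
    to the end of the message."""
    start = message.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = message.find(delimiter, start)
    return (message[start:] if end < 0 else message[start:end]).strip()

def parse_user_mapping(message, profile=GENIAN_NAC_PROFILE):
    """Return {"user": ..., "ip": ...} for a line matching the profile, else None.
    No mapping is created when the event string is absent, a field is missing
    or empty, or the address is not a valid IP, so only well-formed Genian NAC
    authentication messages can bind an IP to a user."""
    if profile["event_string"] not in message:
        return None
    user = _field(message, profile["username_prefix"], profile["username_delimiter"])
    ip = _field(message, profile["address_prefix"], profile["address_delimiter"])
    if not user or not ip:
        return None
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return {"user": user, "ip": ip}

# Constructed sample lines in the format Genian NAC is configured to send above
SAMPLE_SYSLOG = [
    "<134>Jan  1 12:00:00 genian-nac USERAUTH, ID=genian, IP=172.29.101.1",
    "<134>Jan  1 12:00:05 genian-nac USERAUTH, ID=alice, IP=not-an-ip",
    "<134>Jan  1 12:00:09 genian-nac NODE_DETECTED, IP=172.29.101.9",
]

def mappings_from(lines):
    """Apply the profile to every line, keeping only lines that yield a mapping."""
    return [m for m in (parse_user_mapping(line) for line in lines) if m]
```

Only the first sample line yields a mapping; the second fails IP validation and the third lacks the USERAUTH event string, which is why the Syslog Message format must match the parse profile exactly.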

Testing Integration

After completing the integration configuration, test the operation as follows:

  1. Verify via CLI

Command:

show user ip-user-mapping all

Expected output:

IP                Vsys     From     User     IdleTimeout(s)   MaxTimeout(s)
------------    -------   -------  -------   --------------   -------------
172.29.101.1     vsys1    XMLAPI   genian             1111            1111

Total: 1 users

  2. Verify via Web UI

Go to Monitor > Logs > User-ID and confirm login records from Genian NAC.